
L2TP and PPTP...local vs. network users?

Do these instructions still apply to Yosemite & Server 4.1? Specifically, can local users only use L2TP but not PPTP? There seems to be a lot of misinformation (or lack of information) out there.

Mac Pro, OS X Yosemite (10.10.3), Server 4.1

Posted on May 31, 2015 9:49 PM


Jun 1, 2015 12:35 PM in response to jlgtx

OK...per experimentation, it would appear that L2TP works with Local Users, but PPTP does not. However, the PPTP VPN process should be able to authenticate against the built-in RADIUS server, which does work with Local Users. The question is, how do I make this happen? Google is only vaguely my friend here; I've managed to get the RADIUS service configured:



# dseditgroup -o create -n . -r RADIUS com.apple.access_radius

# radiusconfig -setconfig auth yes

# radiusconfig -setconfig auth_badpass yes

# radiusconfig -setconfig auth_goodpass yes

# radiusconfig -installcerts /etc/certificates/<server_cert_string>.key.pem /etc/certificates/<server_cert_string>.cert.pem /etc/certificates/<server_cert_string>.chain.pem

# radiusconfig -setcertpassword

Enter Certificate Passphrase: Apple:UseCertAdmin

# radiusconfig -start



After adding a user "testuser" to the com.apple.access_radius group, I can then run a successful test using the built-in configuration for localhost:



# time echo "User-Name=testuser,User-password=testpass,Framed-Protocol=PPP " | radclient -x -r 1 -t 10 localhost:1812 auth testing123

Sending Access-Request of id 106 to 127.0.0.1 port 1812

User-Name = "testuser"

User-Password = "testpass"

Framed-Protocol = PPP

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=106, length=32

Framed-Protocol = PPP

Framed-Compression = Van-Jacobson-TCP-IP



real 0m6.658s

user 0m0.018s

sys 0m0.009s



One concerning issue is the fact that it takes almost 7 seconds for the RADIUS server to respond, but at least it does work.



Now I need to configure PPTP to use the RADIUS server. I create a text file "vpnrad" with the following contents:



vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "testing123"

vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "127.0.0.1:1812"



Then I use "serveradmin settings < vpnrad" to pull those settings into the VPN config. That works. But the PPTP service doesn't appear to be hitting the RADIUS service at all. I've tried the "Address" key both with and without the port (1812) tagged onto it, same behavior either way. The RADIUS log shows no hits, and the VPN log shows:



2015-06-01 14:15:40 CDT Incoming call... Address given to client = 10.0.77.95

Mon Jun 1 14:15:41 2015 : Directory Services Authentication plugin initialized

Mon Jun 1 14:15:41 2015 : Directory Services Authorization plugin initialized

Mon Jun 1 14:15:41 2015 : publish_entry SCDSet() failed: Success!

Mon Jun 1 14:15:41 2015 : publish_entry SCDSet() failed: Success!

Mon Jun 1 14:15:41 2015 : publish_entry SCDSet() failed: Success!

Mon Jun 1 14:15:41 2015 : PPTP incoming call in progress from '50.24.10.202'...

Mon Jun 1 14:15:41 2015 : PPTP connection established.

Mon Jun 1 14:15:41 2015 : using link 1

Mon Jun 1 14:15:41 2015 : Using interface ppp1

Mon Jun 1 14:15:41 2015 : Connect: ppp1 <--> socket[34:17]

Mon Jun 1 14:15:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:41 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:44 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:47 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:47 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:47 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:47 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:50 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:50 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:50 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:50 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:53 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:53 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:53 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:53 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:56 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:56 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:56 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:56 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:59 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:15:59 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:15:59 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:15:59 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:02 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:16:02 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:02 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:16:02 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:05 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:16:05 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:05 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:16:05 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:08 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]

Mon Jun 1 14:16:08 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:08 2015 : lcp_reqci: returning CONFACK.

Mon Jun 1 14:16:08 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]

Mon Jun 1 14:16:11 2015 : LCP: timeout sending Config-Requests

Mon Jun 1 14:16:11 2015 : Connection terminated.

Mon Jun 1 14:16:11 2015 : PPTP disconnecting...

Mon Jun 1 14:16:11 2015 : PPTP disconnected

2015-06-01 14:16:11 CDT --> Client with address = 10.0.77.95 has hungup

Jun 2, 2015 11:55 AM in response to jlgtx

This is the VPN log output when a Local User tries to connect via PPTP:



2015-06-02 13:49:40 CDT Incoming call... Address given to client = 10.0.77.101

Tue Jun 2 13:49:40 2015 : Directory Services Authentication plugin initialized

Tue Jun 2 13:49:40 2015 : Directory Services Authorization plugin initialized

Tue Jun 2 13:49:40 2015 : publish_entry SCDSet() failed: Success!

Tue Jun 2 13:49:40 2015 : publish_entry SCDSet() failed: Success!

Tue Jun 2 13:49:40 2015 : publish_entry SCDSet() failed: Success!

Tue Jun 2 13:49:40 2015 : PPTP incoming call in progress from '70.196.78.203'...

Tue Jun 2 13:49:41 2015 : PPTP connection established.

Tue Jun 2 13:49:41 2015 : using link 0

Tue Jun 2 13:49:41 2015 : Using interface ppp0

Tue Jun 2 13:49:41 2015 : Connect: ppp0 <--> socket[34:17]

Tue Jun 2 13:49:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]

Tue Jun 2 13:49:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]

Tue Jun 2 13:49:41 2015 : lcp_reqci: returning CONFACK.

Tue Jun 2 13:49:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]

Tue Jun 2 13:49:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]

Tue Jun 2 13:49:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]

Tue Jun 2 13:49:44 2015 : lcp_reqci: returning CONFACK.

Tue Jun 2 13:49:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]

Tue Jun 2 13:49:44 2015 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]

Tue Jun 2 13:49:44 2015 : sent [LCP EchoReq id=0x0 magic=0x733b2b1a]

Tue Jun 2 13:49:44 2015 : sent [CHAP Challenge id=0x10 <681a6b63727e7b1d0242010c1f172511>, name = "server_fqdn.com"]

Tue Jun 2 13:49:44 2015 : rcvd [LCP EchoReq id=0x0 magic=0x17d149d0]

Tue Jun 2 13:49:44 2015 : sent [LCP EchoRep id=0x0 magic=0x733b2b1a]

Tue Jun 2 13:49:44 2015 : rcvd [LCP EchoRep id=0x0 magic=0x17d149d0]

Tue Jun 2 13:49:44 2015 : rcvd [CHAP Response id=0x10 <8fb162434e91ead66ff3bd6344cf461e000000000000000009f982e07a158a7c31d62a7c2571fce4113c5967ab32305300>, name = "testuser"]

Tue Jun 2 13:49:52 2015 : DSAuth plugin: unsupported authen authority: recved Kerberosv5;;testuser@LKDC:SHA1.48C48F920285753FE8EC5A1DE8113FF79618CC46;LKDC:SHA1.48C48F920285753FE8EC5A1DE8113FF79618CC46, want ApplePasswordServer

Tue Jun 2 13:49:52 2015 : DSAuth plugin: MPPE key required, but its retrieval failed.

Tue Jun 2 13:49:52 2015 : sent [CHAP Failure id=0x10 "S=A6417FB4D646E7ACFA53B70F24AACCCDB754BD4C M=Access granted"]

Tue Jun 2 13:49:52 2015 : CHAP peer authentication failed for textures

Tue Jun 2 13:49:52 2015 : sent [LCP TermReq id=0x2 "Authentication failed"]

Tue Jun 2 13:49:52 2015 : Connection terminated.

Tue Jun 2 13:49:52 2015 : PPTP disconnecting...

Tue Jun 2 13:49:52 2015 : PPTP disconnected

2015-06-02 13:49:52 CDT --> Client with address = 10.0.77.101 has hungup
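
Added example, not part of the original posts and not Apple tooling: a short Python triage of the two VPN logs quoted in this thread, reporting how far each PPP session got (LCP negotiation versus MS-CHAPv2 authentication) and which authentication authority the DSAuth plugin rejected. The sample lines are abridged from the logs above with the hex fields elided; the function name `triage` and the verdict labels are assumptions of this example.

```python
import re

# Sample input abridged from the two VPN log excerpts in the thread (hex fields elided).
LCP_TIMEOUT_LOG = """\
Mon Jun 1 14:15:41 2015 : Directory Services Authentication plugin initialized
Mon Jun 1 14:15:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:16:11 2015 : LCP: timeout sending Config-Requests
"""
CHAP_FAILURE_LOG = """\
Tue Jun 2 13:49:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : rcvd [CHAP Response id=0x10 <...>, name = "testuser"]
Tue Jun 2 13:49:52 2015 : DSAuth plugin: unsupported authen authority: recved Kerberosv5;;testuser@LKDC:..., want ApplePasswordServer
Tue Jun 2 13:49:52 2015 : DSAuth plugin: MPPE key required, but its retrieval failed.
Tue Jun 2 13:49:52 2015 : sent [CHAP Failure id=0x10 "..."]
"""
PREFIX = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : ")  # pppd-style timestamp
AUTHORITY = re.compile(r"unsupported authen authority: recved ([^;]+);.*want (\S+)")
CHAP_NAME = re.compile(r'rcvd \[CHAP Response .*name = "([^"]*)"')

def triage(log_text):
    """Summarise one PPTP session: LCP progress, CHAP user, backend rejection."""
    r = {"confreq_sent": 0, "lcp_acked": False, "auth_offered": None, "chap_user": None,
         "got_authority": None, "want_authority": None, "mppe_key_failed": False,
         "verdict": "unknown"}
    for line in log_text.splitlines():
        msg = PREFIX.sub("", line.strip())
        if msg.startswith("sent [LCP ConfReq"):
            r["confreq_sent"] += 1          # retransmissions show up as a count > 1
            m = re.search(r"<auth ([^>]+)>", msg)
            if m:
                r["auth_offered"] = m.group(1)
        elif msg.startswith("rcvd [LCP ConfAck"):
            r["lcp_acked"] = True           # peer accepted the server's LCP options
        elif (m := CHAP_NAME.search(msg)):
            r["chap_user"] = m.group(1)
        elif (m := AUTHORITY.search(msg)):
            r["got_authority"], r["want_authority"] = m.groups()
        elif "MPPE key required, but its retrieval failed" in msg:
            r["mppe_key_failed"] = True
        elif msg.startswith("LCP: timeout sending Config-Requests") and not r["lcp_acked"]:
            r["verdict"] = "lcp-timeout-before-auth"
        elif msg.startswith("sent [CHAP Failure"):
            r["verdict"] = "chap-rejected-by-backend" if r["got_authority"] else "chap-failure"
    return r
```

A `lcp-timeout-before-auth` verdict means the session ended during LCP negotiation, before the PPP authentication phase, so no password check by any backend took place in that session.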
